XML Signature (also called XMLDSig, XML-DSig, XML-Sig) defines an XML syntax for digital signatures and is defined in the W3C recommendation XML Signature Syntax and Processing. Functionally, it has much in common with PKCS#7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.
XML signatures can be used to sign data–a resource–of any type, typically XML documents, but anything that is accessible via a URL can be signed. An XML signature used to sign a resource outside its containing XML document is called a detached signature; if it is used to sign some part of its containing document, it is called an enveloped signature; if it contains the signed data within itself it is called an enveloping signature.
1 Configure XML-DSig
You can configure a few parameters before signing a document.
1.1 Select Digest method
You can select any of the available methods (default is SHA256):
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- RIPEMD160
- SHA3_224
- SHA3_256
- SHA3_384
- SHA3_512
<script>
var dbf = new Ax.xml.DocumentBuilderFactory();
dbf.setNamespaceAware(true);
var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
var dst = new Ax.crypt.XMLDSig(xml);
console.log(dst.getDigestMethod());
dst.setDigestMethod("SHA512");
</script>
1.2 Select Signature method
You can select any of the available methods (default is RSA_SHA256):
- DSA_SHA1
- DSA_SHA256
- ECDSA_SHA1
- ECDSA_SHA224
- ECDSA_SHA256
- ECDSA_SHA384
- ECDSA_SHA512
- HMAC_SHA1
- HMAC_SHA224
- HMAC_SHA384
- HMAC_SHA512
- RSA_SHA1
- RSA_SHA224
- RSA_SHA256
- RSA_SHA384
- RSA_SHA512
- SHA1_RSA_MGF1
- SHA224_RSA_MGF1
- SHA256_RSA_MGF1
- SHA384_RSA_MGF1
- SHA512_RSA_MGF1
The signature method is usually determined by the type of key. If you use an RSA key, the signature method should be an RSA method; if you use a DSA key, it should be a DSA method.
<script>
var dbf = new Ax.xml.DocumentBuilderFactory();
dbf.setNamespaceAware(true);
var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
var dst = new Ax.crypt.XMLDSig(xml);
console.log("Digest Method ...: " + dst.getDigestMethod());
dst.setDigestMethod("SHA512");
console.log("Signature Method : " + dst.getSignatureMethod());
dst.setSignatureMethod("RSA_SHA1");
</script>
1.3 Select Canonicalization method
The canonicalization (transform) method can be selected using one of the following constants (default is ENVELOPED). Each constant maps to the algorithm URI written into the generated Signature element.
Constant                | Algorithm URI
ENVELOPED               | http://www.w3.org/2000/09/xmldsig#enveloped-signature
INCLUSIVE               | http://www.w3.org/TR/2001/REC-xml-c14n-20010315
INCLUSIVE_WITH_COMMENTS | http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
EXCLUSIVE               | http://www.w3.org/2001/10/xml-exc-c14n#
EXCLUSIVE_WITH_COMMENTS | http://www.w3.org/2001/10/xml-exc-c14n#WithComments
BASE64                  | http://www.w3.org/2000/09/xmldsig#base64
XPATH                   | http://www.w3.org/TR/1999/REC-xpath-19991116
XPATH2                  | http://www.w3.org/2002/06/xmldsig-filter2
<script>
var dbf = new Ax.xml.DocumentBuilderFactory();
dbf.setNamespaceAware(true);
var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
var dst = new Ax.crypt.XMLDSig(xml);
dst.setDigestMethod("SHA512");
dst.setSignatureMethod("RSA_SHA1");
dst.setCanonicalizationMethod("ENVELOPED");
console.log("Digest Method ...: " + dst.getDigestMethod());
console.log("Signature Method : " + dst.getSignatureMethod());
console.log("is Enveloped?... : " + dst.isEnveloped());
</script>
1.4 Signature Namespace
The setNamespacePrefix method defines the namespace prefix used for the Signature element generated by XMLDSig (for example "ds", giving <ds:Signature>).
<script>
// Load a keystore
var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");
var dbf = new Ax.xml.DocumentBuilderFactory();
dbf.setNamespaceAware(true);
var xml = dbf.parse("<rootxmldoc><tag1 /></rootxmldoc>");
var dst = new Ax.crypt.XMLDSig(xml);
dst.setDigestMethod("SHA512");
dst.setSignatureMethod("RSA_SHA1");
dst.setEnveloped(false);
dst.setNamespacePrefix("ds");
console.log("Digest Method ...: " + dst.getDigestMethod());
console.log("Signature Method : " + dst.getSignatureMethod());
console.log("is Enveloped?... : " + dst.isEnveloped());
// Sign the document using keystore private key alias "jack" with password "moon"
console.log(dst.sign(ks, "jack", "moon"));
</script>
2 Examples
The following example signs an XML document loaded from a URL with the default settings (SHA256 digest, RSA_SHA256 signature, enveloped). The signed document returned by sign() is shown after the script.
<script>
// Load a keystore
var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");
// Load an XML document
var src = new Ax.xml.XMLDocument(new Ax.net.URL('https://bitbucket.org/deister/axional-docs-resources/raw/master/XML/books.xml'));
// Sign the document using keystore private key alias "jack" with password "moon"
var dst = new Ax.crypt.XMLDSig(src).sign(ks, "jack", "moon");
// Show the returned XML document String
console.log(dst);
</script>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<catalog>
  <book id="bk101">
    <author>Gambardella, Matthew</author>
    <title>XML Developer's Guide</title>
    <genre>Computer</genre>
    <price>44.95</price>
    <publish_date>2000-10-01</publish_date>
    <description>An in-depth look at creating applications with XML.
    </description>
  </book>
  ...
  <book id="bk112">
    <author>Galos, Mike</author>
    <title>Visual Studio 7: A Comprehensive Guide</title>
    <genre>Computer</genre>
    <price>49.95</price>
    <publish_date>2001-04-16</publish_date>
    <description>Microsoft Visual Studio 7 is explored in depth,
    looking at how Visual Basic, Visual C++, C#, and ASP+ are
    integrated into a comprehensive development
    environment.
    </description>
  </book>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>zolcPXUMCIref0InS0KhgpYS6u7J6SgrAEpj//MjClU=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>TtFgg6rNkwBtwshvmocjcFk2hbDYivf20ywWEgEXN7onIAXMP3sk9yHR35IssO8s6rS0BWb7LTf6
AwM3d3nogv3g18uZUDyjI9qOX6XeDP5/K/rzC1gie0OV9EMBJ7PWoigB1K97I+Ab1nSzLs6kQkja
VLCGd82FYaEOLTkZ6Es=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=Jack Daniel,OU=Training,O=Software View,L=Colombo,ST=Western,C=LK</X509SubjectName>
        <X509Certificate>MIIC9jCCAl+gAwIBAgIJAParOnPwEkKlMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJMSzEQ...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</catalog>